Remote into DMZ FTP

I have a SonicWall TZ 215. It has been set up for me and is working fine. It has been set up with 2 subnets (192.168.1.0 & 192.168.2.0) for local traffic. These 2 networks are designed to not talk to each other. However, on the 192.168.1.0 network there is a DMZ that hosts our FTP site. I need to occasionally maintain that computer and would like to know a technique that would allow me to remote into it through the firewall. I am familiar with NetExtender and have had great success remoting into my work PC from home using it.

Can anyone point me in the direction of what I need to do to allow only my PC to be able to remote into that computer?

In SSL-VPN > Client Routes just change your Client Routes to reflect the DMZ network.
Then under Users > Local users in the VPN Access Tab select the DMZ network object for the VPN Client Access Networks.

You can always manually NAT sets of ports to allow both passive and active FTP, but it would be much simpler if you could use another protocol such as SFTP, which operates over a single port.

If you want to go the FTP way, this post describes a working setup: http://www.petri.co.il/forums/showthread.php?t=52231
It could be made a little more restrictive, though, and you obviously can restrict all of it to your home address if you do not want the FTP server to be world-accessible.


lordzack (Author) commented: 2013-10-23

I was unable to get it to work but I'll continue to work on a solution.


As long as the access is limited to one or a few known IPs, it seems acceptable.

Additionally, most VPNs don't actually offer much better encryption than, let's say, VNC over SSH (which is built into TightVNC) or over SSL, which is built into most of them. And RDP features SSL and Kerberos.

VPNs also make the client machine part of the server's network. The chances that viruses transit through are roughly the same as between 2 machines on a local LAN. The chance that a virus transits through a VNC connection is near zero.

@skullnobrains - All of those options are still susceptible to man-in-the-middle attacks. VNC, in general, has major security flaws/vulnerabilities - DEF CON 15-20. RDP is one of the worst offenders too, plus it breaks the layered security architecture. With a VPN you only gain access to the network...you then still have to access the resource layer. Irrespective of that, it's not a security best practice to open RDP ports up even if you are limiting the scope to one ISP.

RE: virus outbreaks...the last time we dealt with that was in 2005, literally. If you set up layered security properly with the right products, virus infections, proliferation & dissemination are really a thing of the past...at least for us and our clients. Also, you can mitigate this using various methods, but here are a few: a) SonicWALL tunnels have layered aggression and protection using CGSS, and/or b) simply use forced AV endpoint protection through SonicWALL - so in either case...there is nothing to worry about. But again, even without implementing these methods, if you are using the right products with the correct configuration and have a properly layered security architecture...this is a moot point.

As far as security is concerned:
- Any security that the admin does not fully understand is a threat. Using VPNs when you're not familiar with the pros and cons is not really a good idea... and it is really overkill in this situation.
- Opening a port, possibly over an SSH tunnel, is globally less dangerous than putting a remote machine in your network. That is especially true when that machine has no reason to be in the network in the first place.
- 2005? Pretty good! (Actually I have not detected a virus since 2000-2001, and all the Windows machines I dealt with went through Sasser unharmed, including quite a few home computers directly facing the internet without a firewall.) But as far as I know, more than 50% of the home computers running Windows are infected worldwide, even though most people are now behind a NAT router and even Microsoft managed to put a little security in their OS. The main difference since 2005 is that back then there were still a few viruses around whose goal was just to mess with your computer, while almost 100% of malware today just wants to turn your computer into a bot. This malware tries to fly under the radar, which is getting easy nowadays given the performance of home computers and internet connections.
- Layered security with the right products? Sure, I do agree with that: ban Windows altogether, use a dedicated LAN segment for each machine facing the internet, jail the corresponding processes, don't give those hosts any kind of access to other hosts (for example, don't ever think of sticking a machine that is part of a domain in a DMZ), don't ever run a network service on a non-dedicated account, make sure that account has no unneeded privileges (forget about root, SYSTEM, network daemon, and other similar accounts), use reverse proxies, use open source software including for your firewall...
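The two points made in this thread about the SSH-tunnel alternative, namely VNC over SSH instead of a full VPN, and running the service under a dedicated unprivileged account that is reachable only from a few known addresses, can be combined into one sshd configuration. The script below is an added example written for this page, not configuration from any poster or from SonicWall; the admin address (203.0.113.10, a TEST-NET-3 placeholder), the account name `ftpmaint`, and the public host name `ftp-dmz.example.com` are all constructed assumptions. It generates an `sshd_config` fragment in which nothing is permitted globally, then a single `Match` block opens exactly one thing: a local port forward to the DMZ host's own VNC port, for one user, from one source address, with no shell. A small checker verifies the fragment still carries every restrictive directive before it is deployed, and a second helper prints the matching client-side tunnel command.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege sshd "Match" block that lets one
# maintenance account, from one known admin IP, open only an SSH tunnel to the local
# VNC port on the DMZ host. All names and addresses below are constructed placeholders.
ADMIN_IP="203.0.113.10"        # assumed: the admin's fixed home/ISP address (TEST-NET-3)
MAINT_USER="ftpmaint"          # assumed: dedicated, unprivileged maintenance account
VNC_PORT="5900"                # default VNC port for display :0
DMZ_HOST="ftp-dmz.example.com" # assumed: public name the firewall NATs to the DMZ host

# Emit the sshd_config fragment. The global lines deny everything; only the Match
# block re-enables a narrowly scoped local forward, and the forced command means a
# successful login still never yields an interactive shell.
sshd_match_block() {
  cat <<EOF
# Global hardening: nobody gets in unless a Match block below opens something.
PasswordAuthentication no
PermitRootLogin no
AllowUsers ${MAINT_USER}@${ADMIN_IP}
AllowTcpForwarding no
X11Forwarding no

# Only the maintenance account, only from the admin address, only a tunnel to VNC.
Match User ${MAINT_USER} Address ${ADMIN_IP}
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:${VNC_PORT}
    ForceCommand /bin/false
EOF
}

# Client side: ssh -N requests no shell, just the forward; the VNC viewer then
# connects to localhost:5901 and the VNC traffic never crosses the firewall in clear.
vnc_tunnel_command() {
  printf 'ssh -N -L 5901:127.0.0.1:%s %s@%s\n' "$VNC_PORT" "$MAINT_USER" "$DMZ_HOST"
}

# Sanity check a fragment before installing it: every restrictive directive must be
# present, so an accidental edit cannot silently widen access. Returns 0 when sound.
check_fragment() {
  fragment="$1"
  for needle in "PasswordAuthentication no" "PermitRootLogin no" \
                "AllowUsers ${MAINT_USER}@${ADMIN_IP}" "AllowTcpForwarding no" \
                "PermitOpen 127.0.0.1:${VNC_PORT}" "ForceCommand"; do
    printf '%s\n' "$fragment" | grep -q -- "$needle" || return 1
  done
  return 0
}

# Example run: print the fragment only if it passes the check.
fragment="$(sshd_match_block)"
if check_fragment "$fragment"; then
  printf '%s\n' "$fragment"
  vnc_tunnel_command
fi
```

The order matters: global `AllowTcpForwarding no` plus `AllowUsers user@address` is the deny-by-default baseline, and the `Match` block is the single exception, so the host stays unreachable from everywhere except the admin's address even if the firewall NAT rule is broader than intended. On the SonicWall side this still needs one NAT/access rule for TCP 22 to the DMZ host, ideally with the same source address restriction, which is a far smaller opening than the passive FTP port range or a VPN that joins the home machine to the DMZ segment.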